ActiveX update stars in Patch Tuesday critical quintet
It's that time of the month again
Microsoft released five critical patches on Tuesday as part of its latest Patch Tuesday update. The release also included three bulletins over security flaws rated by Redmond as "important".
The worst of the quintet is a flaw in ActiveX. This update also includes a kill bit for the Yahoo! Music Jukebox product, the topic of a proof of concept exploit. Proof that the security bug can be misused makes it a higher risk than the other four critical updates.
The other updates include a cumulative update for Internet Explorer, as well as Office and Windows fixes. Vista is as affected by these critical bugs as XP. Windows Servers are less exposed to these updates, but still need patching.
Observers such as the SANS Institute's Internet Storm Centre (ISC) think Microsoft has underestimated the seriousness of its three important updates. The ISC reckons a flaw that leaves Windows DNS clients vulnerable to spoofing because of entropy in a random number generator is better thought of as critical.
It also considers an input validation vulnerability in the windows kernel that allows privilege escalation, and multiple input validation vulnerabilities in Visio that might allow code injection, to be worse risks than Redmond cares to acknowledge.
In other patching news, Adobe pushed out a patch on Tuesday to addresses multiple vulnerabilities in Adobe Flash Player. Users are advised to update to version 220.127.116.11 of Adobe Flash to guard against potential code injection and cross site scripting risk.